I am new to the business and I am looking to gain some knowledge specifically about exploiting PLCs and industrial control networks. I am a PLC programmer in the control systems industry and I have been tasked with identifying/exploiting vulnerabilities in our control systems.

I have already discovered several problems mainly dealing with UDP communication protocols.

I want to dig deeper and focus on two things: buffer overflows on PLCs and exploits regarding crafting EIP/CIP (Ethernet/IP) messages.

What books/reading in general would you recommend? Any suggestions are welcome.

In my experience you don't even need to go after the PLCs. The operating systems are typically so out of date and missing patches that exploitation is usually pretty trivial. Also, if you can pop the box that manages the PLCs you own everything.

Also, about 5 years ago when PLC manufacturers started adding web servers and SNMP to their devices, they almost never password protected them or used hardcoded passwords/SNMP strings.

Finally, simple ARP spoofing will usually yield tons of clear-text passwords since most comm protocols are still Modbus over TCP or Telnet. As far as crafting CIP messages, I've never needed to do that. Total domination on ICS is usually less than a day's work.

I completely agree. Part of my testing is with the SCADA, which includes the PCs, and yes, it was ridiculously easy, so I am drafting some action plans to patch those up.

And you are correct on the clear text also; I found some via UDP.

All that being said, I want to push the envelope a bit more and learn, or at least educate myself, about attacking the PLCs directly. Apart from the comms protocol, FTP is the only thing open on the controllers, no SNMP, and Ethernet/IP (CIP) is the protocol of choice.

I will look at the book you recommended. Thanks!

Any ideas on what would be good reading in terms of the controller hardware side? I can't find anything online.

The second bullet is very interesting. I suspect if you fiddled with the values in those packets you might be able to get the PLCs to crash, which might mean exploitation is possible. I doubt they have much bounds checking implemented, especially if they are old. It would seem the most malicious of intent would want to exploit this because success equals changing values or device compromise. I'm totally speculating on this attack vector, but it might be worth a look.

The hardest part would be debugging the crash. It's not like you could just open Immunity and debug the crashes. This part is out of my league.

Well, I went the UDP route and wow... let's just say I have my work cut out trying to secure the control system against fairly simple attacks.

And I'm also proud to say I wrote my first Metasploit module in Ruby.

The only built-in security options on the controller are basically to write-protect the entire thing, which turns into an admin nightmare when trying to do software updates remotely, or to restrict rights based on IPs. However, a simple sniff and spoof would defeat that.